ID

VAR-202110-0133


CVE

CVE-2021-27395


TITLE

Lack of authentication for critical functions in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2021-013657

DESCRIPTION

A vulnerability has been identified in SIMATIC Process Historian 2013 and earlier (All versions), SIMATIC Process Historian 2014 (All versions < SP3 Update 6), SIMATIC Process Historian 2019 (All versions), SIMATIC Process Historian 2020 (All versions). An interface in the software that is used for critical functionalities lacks authentication, which could allow a malicious user to insert, modify or delete data. Multiple Siemens products are vulnerable to missing authentication for critical functionality. Information may be tampered with and service operation may be interrupted (DoS). Siemens SIMATIC Process Historian is a central filing system from Siemens of Germany.

Trust: 2.25

sources: NVD: CVE-2021-27395 // JVNDB: JVNDB-2021-013657 // CNVD: CNVD-2021-77609 // VULMON: CVE-2021-27395

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-77609

AFFECTED PRODUCTS

vendor: siemens, model: simatic process historian 2019, scope: eq, version: *

Trust: 1.0

vendor: siemens, model: simatic process historian 2013, scope: eq, version: *

Trust: 1.0

vendor: siemens, model: simatic process historian 2014, scope: eq, version: -

Trust: 1.0

vendor: siemens, model: simatic process historian 2020, scope: eq, version: *

Trust: 1.0

vendor: シーメンス, model: simatic process historian 2020, scope: -, version: -

Trust: 0.8

vendor: シーメンス, model: simatic process historian 2019, scope: -, version: -

Trust: 0.8

vendor: シーメンス, model: simatic process historian 2014, scope: -, version: -

Trust: 0.8

vendor: シーメンス, model: simatic process historian 2013, scope: -, version: -

Trust: 0.8

vendor: siemens, model: simatic process historian and earlier, scope: eq, version: 2013

Trust: 0.6

vendor: siemens, model: simatic process historian sp3 update, scope: eq, version: 2014<6

Trust: 0.6

vendor: siemens, model: simatic process historian, scope: eq, version: 2019

Trust: 0.6

vendor: siemens, model: simatic process historian, scope: eq, version: 2020

Trust: 0.6

sources: CNVD: CNVD-2021-77609 // JVNDB: JVNDB-2021-013657 // NVD: CVE-2021-27395

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-27395
value: HIGH

Trust: 1.0

NVD: CVE-2021-27395
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-77609
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202110-774
value: HIGH

Trust: 0.6

VULMON: CVE-2021-27395
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-27395
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-77609
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-27395
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2021-27395
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-77609 // VULMON: CVE-2021-27395 // JVNDB: JVNDB-2021-013657 // CNNVD: CNNVD-202110-774 // NVD: CVE-2021-27395

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.0

problemtype: Lack of authentication for critical features (CWE-306) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-013657 // NVD: CVE-2021-27395

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-774

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202110-774

PATCH

title: SSA-766247, url: https://cert-portal.siemens.com/productcert/pdf/ssa-766247.pdf

Trust: 0.8

title: Patch for Siemens SIMATIC Process Historian Authentication Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/294041

Trust: 0.6

title: Siemens Simatic Process Historian Fixes for access control error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=166925

Trust: 0.6

title: Siemens Security Advisories: Siemens Security Advisory, url: https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=e0fc46fc4fdb2069205e9c33ccc0cf23

Trust: 0.1

sources: CNVD: CNVD-2021-77609 // VULMON: CVE-2021-27395 // JVNDB: JVNDB-2021-013657 // CNNVD: CNNVD-202110-774

EXTERNAL IDS

db: NVD, id: CVE-2021-27395

Trust: 3.9

db: SIEMENS, id: SSA-766247

Trust: 2.3

db: ICS CERT, id: ICSA-21-287-09

Trust: 0.8

db: JVN, id: JVNVU95938083

Trust: 0.8

db: JVNDB, id: JVNDB-2021-013657

Trust: 0.8

db: CNVD, id: CNVD-2021-77609

Trust: 0.6

db: CS-HELP, id: SB2021101315

Trust: 0.6

db: AUSCERT, id: ESB-2021.3457

Trust: 0.6

db: CNNVD, id: CNNVD-202110-774

Trust: 0.6

db: VULMON, id: CVE-2021-27395

Trust: 0.1

sources: CNVD: CNVD-2021-77609 // VULMON: CVE-2021-27395 // JVNDB: JVNDB-2021-013657 // CNNVD: CNNVD-202110-774 // NVD: CVE-2021-27395

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-766247.pdf

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2021-27395

Trust: 1.4

url:http://jvn.jp/vu/jvnvu95938083/index.html

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-21-287-09

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021101315

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3457

Trust: 0.6

url:https://vigilance.fr/vulnerability/simatic-process-historian-read-write-access-via-authentication-bypass-36636

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/306.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://cert-portal.siemens.com/productcert/txt/ssa-766247.txt

Trust: 0.1

sources: CNVD: CNVD-2021-77609 // VULMON: CVE-2021-27395 // JVNDB: JVNDB-2021-013657 // CNNVD: CNNVD-202110-774 // NVD: CVE-2021-27395

SOURCES

db: CNVD, id: CNVD-2021-77609
db: VULMON, id: CVE-2021-27395
db: JVNDB, id: JVNDB-2021-013657
db: CNNVD, id: CNNVD-202110-774
db: NVD, id: CVE-2021-27395

LAST UPDATE DATE

2024-08-14T12:12:21.542000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-77609, date: 2022-01-18T00:00:00
db: VULMON, id: CVE-2021-27395, date: 2021-10-19T00:00:00
db: JVNDB, id: JVNDB-2021-013657, date: 2022-09-21T02:55:00
db: CNNVD, id: CNNVD-202110-774, date: 2021-10-22T00:00:00
db: NVD, id: CVE-2021-27395, date: 2021-10-19T01:11:52.747

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-77609, date: 2021-10-16T00:00:00
db: VULMON, id: CVE-2021-27395, date: 2021-10-12T00:00:00
db: JVNDB, id: JVNDB-2021-013657, date: 2022-09-21T00:00:00
db: CNNVD, id: CNNVD-202110-774, date: 2021-10-12T00:00:00
db: NVD, id: CVE-2021-27395, date: 2021-10-12T10:15:11.493